Legislative Audit Division
State of Montana
Report to the Legislature
June 1998

EDP Follow-up Audit Report
Department of Revenue

This report provides the status of prior recommendations from an electronic data processing audit (97DP-04) at the Department of Revenue. Of the 16 initial recommendations, 12 are implemented and 4 are not implemented. The prior recommendations not fully implemented address:

- Periodic review of processing edit adjustments.
- Operating system security procedures.
- Electronic access controls.
- Internal security evaluations.

Direct comments/inquiries to:
Legislative Audit Division
Room 135, State Capitol
PO Box 201705
Helena MT 59620-1705

98DP-08

EDP AUDITS

Electronic Data Processing (EDP) audits conducted by the Legislative Audit Division are designed to assess controls in an EDP environment. EDP controls provide assurance over the accuracy, reliability, and integrity of the information processed. From the audit work, a determination is made as to whether controls exist and are operating as designed. In performing the audit work, the audit staff uses audit standards set forth by the United States General Accounting Office.

Members of the EDP audit staff hold degrees in disciplines appropriate to the audit process. Areas of expertise include business and public administration.

EDP audits are performed as stand-alone audits of EDP controls or in conjunction with financial-compliance and/or performance audits conducted by the office. These audits are done under the oversight of the Legislative Audit Committee which is a bicameral and bipartisan standing committee of the Montana Legislature. The committee consists of six members of the Senate and six members of the House of Representatives.
MEMBERS OF THE LEGISLATIVE AUDIT COMMITTEE

LEGISLATIVE AUDIT DIVISION

Scott A. Seacat, Legislative Auditor
John W. Northey, Legal Counsel
Tori Hunthausen, IT & Operations Manager

Deputy Legislative Auditors:
Jim Pellegrini, Performance Audit
James Gillett, Financial-Compliance Audit

June 1998

The Legislative Audit Committee
of the Montana State Legislature:

This is a follow-up report of our EDP audit (97DP-04) of general and application controls at the Department of Revenue. The original report included recommendations applicable to the Computer Assisted Mass Appraisal System (CAMAS), Revenue Control System (RCS), Individual Income Tax System (IIT), and Delinquent Accounts Receivable System (DAR). This report discusses the prior recommendations not yet fully implemented by the department.

We thank the Department of Revenue for their cooperation and assistance throughout the review.

Respectfully submitted,

Scott A. Seacat
Legislative Auditor

Room 135, State Capitol Building, PO Box 201705, Helena, MT 59620-1705
Phone (406) 444-3122 FAX (406) 444-9784 [email protected]

Table of Contents

List of Tables
List of Appointed and Administrative Officials

Chapter I - Introduction
    Introduction
    Background on Original Audit
    Follow-up Scope

Chapter II - Recommendation Status
    Recommendation Status
    Income Tax Return Adjustments Should be Supported
    Restrict Access Per Job Duties
    Document the Access Provided
    Disaster Recovery Plans Should be Completed
    Internal Evaluation of Security

Agency Response
    Department of Revenue

List of Tables

Table 1    Implementation Status of Recommendations

Appointed and Administrative Officials

Department of Revenue
Mary Bryson, Director
Mike Boyer, Information Technology Administrator
Jeff Miller, Policy and Performance Management Manager
Judy Paynter, Tax Policy and Research Manager

Chapter I - Introduction

Introduction

We performed a follow-up review of the electronic data processing audit (97DP-04) of the Department of Revenue.
The original report, issued in December of 1996, contained 16 recommendations for improving existing controls within the department's electronic data processing environment. This report outlines the status of the prior recommendations partially or not implemented.

Background on Original Audit

The original audit reviewed general controls over the department's AS/400 computer which processes property tax data for the Computer Assisted Mass Appraisal System (CAMAS). The audit also evaluated application controls over the Individual Income Tax (IIT) system, the Delinquent Accounts Receivable (DAR) system, and CAMAS. Except for CAMAS, the systems noted above process data on the Department of Administration's central mainframe computer.

Follow-up Scope

The objective of our follow-up audit was to determine the implementation status of the original audit recommendations. We interviewed department personnel and reviewed supporting documentation. Listed below are prior recommendations the department has implemented since the original audit.

- Establish procedures to ensure IIT address changes do not overwrite existing DAR address data.
- Document IIT system edits for management and personnel review.
- Document and communicate department policy for adjusting IIT system processing tolerance errors.
- Implement cost-effective physical security controls within the computer facility.
- Secure backup information in an off-site location away from the computer facility.
- Evaluate and document AS/400 operating system installation parameters.
- Develop security procedures over the AS/400 operating system as required by department policy.
- Implement procedures to require users to change their CAMAS system passwords.
- Review employee access privileges to CAMAS on a scheduled basis and restrict employee access in accordance with job duties.
- Annually review employee-owned properties, and properties owned by their family members, to ensure compliance with department policy, which prohibits employees from making system changes to those properties in CAMAS.
- Establish procedures to ensure internal audit recommendations for CAMAS are implemented.

Overall audit results are outlined below.
Table 1
Implementation Status of Recommendations

Implemented
Not Implemented
Total Recommendations